Who has Utah patients' health data, and is it secure?

This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

Corky Shill isn't sure who is most to blame for her husband's Social Security number being compromised.

Utah technology and health officials failed to safeguard the Medicaid server that hackers broke into last month. But a hospital, doctor or billing company somewhere is also at fault, she says, for sending her husband's information to the server for no good reason.

"It's greed or laziness," says Shill, noting that her 61-year-old husband, J. Martin Shill, has been privately insured for 40 years. "My husband has never been on Medicaid. So why in the world would they try to bill it?"

Hospitals say they don't "ping" Utah's Medicaid Eligibility system routinely, or with all patients. They say they do it for patients who are uninsured, those who claim to be on Medicaid and those with past-due medical bills.

But the fact that the information of insured patients and retirees on Medicare was exposed in Utah's Medicaid breach suggests otherwise, and has health consumers, like Shill, wondering, "Who else has my information and how is it being used?"

Turns out, there's no simple answer.

Utah's major hospitals share medical diagnoses and information about treatments with insurance companies.

They also give patient names, addresses and such to "revenue management" companies such as Texas-based eScan Data Systems and Cardon Health, which help patients enroll in state and federal safety net programs and crime victim funds.

"If we find they are eligible for Medicaid, that's a good thing for patients who incur less personal expense and a good thing for the hospital because we spend less on collections," said Daron Cowley, a spokesman at Intermountain Healthcare.

The University of Utah provides the same information for Cardon to determine eligibility.

When it comes to collecting on bad debt ($46 million was tallied by the U. in the past fiscal year), the U. initially provides its contracted debt collector, Express Recovery Services, with the patient's name, address, amount owed, dates of service and billing history.

If Express takes the patient to court, the U. would provide the company with information about the patient's treatment.

"What we'd be trying to prove is that we provided a service and are owed payment for it," said U. spokesman Christopher Nelson.

But using Express is considered a last resort. U. employees attempt to collect on bills three times over several months before they seek help from the Attorney General's Office, which has the power to place liens on state tax returns. If that doesn't work (if there are no tax returns to garnish), the bill is turned over to Express.

All this is explained on privacy notices that patients sign when they visit the doctor or hospital.

The U.'s disclosure, available online, says: "We keep billing records that include payment information and documentation of the services provided to you. Your information may be used to obtain payment from you, your insurance company, or another third party."

But what that means in practice isn't always clear, say patients and consumer advocates.

"Most people assume that their conversation with the doctor stays inside the exam room. They see information goes into a paper file and think that's where it stops," said Lillie Coney, associate director of the Electronic Privacy Information Center in Washington, D.C. "I don't think people understand how medical data moves around, especially older persons."

"But privacy protection is not just a matter of protecting data," Coney said. "It's also about transparency, the ability of an individual to know who has access to their information and how it's used, and accountability when there are problems."

If Shill signed a permission slip, she doesn't remember it.

"I give papers back to doctors all the time and say, 'I won't sign this,' " said the Salt Lake City woman.

But what bothers her most is the Utah Department of Health's refusal to say who, among the many providers her husband has recently seen, plugged her husband's name into the Medicaid server.

"I talked to Jordan Valley Hospital, his doctor, David Zackerson, Granger Medical Center, an urgent care, and none of them admit releasing it. So who did?" she said. "I think we have a right to know where this came from, so we can confront that person and ask them, 'Why did you do this, when we have insurance and we pay our bills?' It is, after all, our information."

Health Department spokesman Tom Hudachko says weeding through all the compromised data to identify individual providers would have to be done manually.

The hacked server was live and online for just three months and contained 6 million eligibility inquiries, most of which were duplicates.

Billing companies often start by sending just a patient's name, he said. If that yields no hits, they send a name and address, then a name, address, birth date and Social Security number.

IASIS-owned Jordan Valley Hospital alone sent more than 1 million inquiries.

"It gives you a sense of how much data we had to sort through to identify how many people were affected," Hudachko said, adding: "We don't want to vilify health providers. They send us this information with the expectation that it be kept secure."

Among the vendors used by IASIS are Cardon, eScan, Frost-Arnett and Chamberlin Edmonds in Tennessee, State Collections Service in Wisconsin and Medical Data Systems in Florida.

In an email, Ed Lamb, western division president for IASIS Healthcare, said patients can restrict the type of personal health information that is shared with such vendors.

But if the sheer volume of data changing hands is worrisome, so is the growing breadth of information.

Security breaches aren't limited to government agencies. Private insurance companies, pharmacies and hospitals have been cited by federal officials for security failures.

Billing companies also make mistakes, such as Accretive Health Inc., the embattled debt collector that lost tens of thousands of Minnesota patients' data when an employee's laptop computer was stolen.

Minnesota Attorney General Lori Swanson is suing the Chicago-based company for violating HIPAA, and for its aggressive bedside collection tactics. The company has since started encrypting its data.

But documents obtained by Swanson show Accretive, in its dealings with nonprofit hospital chain Fairview Health Services, had access to more than just names and addresses.

A screen shot, obtained by a patient whose information was jeopardized, included the patient's name, gender, number of dependents, clinic and doctor. It contained numeric scores to predict the "complexity" of the patient, the probability of an inpatient stay, the dollar amount "allowed" to the provider and whether the patient is in "frail condition."

And it had fields for chronic conditions, from bipolar disorder to diabetes and lower back pain.

Cowley at Intermountain, which signed a five-year contract with Accretive in November, said, "No more information is being provided [to Accretive] than" has been shared in the past with other vendors. That means no medical diagnoses, he said, adding, "If we determine that Accretive is unable to uphold our standards and values, we are fully prepared to go in a different direction."

Consumers, though, feel helpless to protect themselves.

"It's just not his information, it's my credit cards, too," Shill said, noting they have joint bank accounts and file taxes together. If she knew where to go to complain, she said, "I'd go down there and rip someone out of their chair."
